From 4c70e70f7797a8f8a9d2e3486458f80867ff1c4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Sat, 16 Mar 2024 14:56:31 +0100
Subject: [PATCH] [PATCH] Introduce `external-auth` flag to make client-side authentication methods optional

---
 doc/man-sections/client-options.rst | 14 ++++++++++++++
 src/openvpn/options.c | 12 +++++++++---
 src/openvpn/options.h | 1 +
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index b75fe5bdbad4..92f98291ab83 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -87,6 +87,20 @@ configuration.
 The server configuration must specify an ``--auth-user-pass-verify`` script
 to verify the username/password provided by the client.
+--external-auth
+ For security reasons, OpenVPN requires client-side credentials such as
+ client certificates or a username/password combination. The OpenVPN server
+ has the capability to delegate authentication to external systems using the
+ WEBAUTH protocol. In such cases, client credentials may be omitted.
+
+ ***Security Considerations***
+
+ When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the
+ standard authentication checks. This configuration can potentially create a
+ risky environment where an OpenVPN server operates without requiring
+ authentication. If you opt to utilize ``--external-auth``, it's crucial to
+ thoroughly validate that the OpenVPN server has been adequately secured.
+
 --auth-retry type
 Controls how OpenVPN responds to username/password verification errors such
 as the client-side response to an :code:`AUTH_FAILED` message from
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 94a88f949d6b..6224bfc696ec 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -499,6 +499,7 @@ static const char usage_message[] =
 " and a password on the second. If either the password or both\n"
 " the username and the password are omitted OpenVPN will prompt\n"
 " for them from console.\n"
+ "--external-auth : If set, client-side credentials may be provided optionally.\n"
 "--pull : Accept certain config file options from the peer as if they\n"
 " were part of the local config file. Must be specified\n"
 " when connecting to a '--mode server' remote host.\n"
@@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,
 if (sum == 0)
 {
- if (!options->auth_user_pass_file)
+ if (!options->auth_user_pass_file && !options->external_auth)
 {
 msg(M_USAGE, "No client-side authentication method is "
 "specified. You must use either "
- "--cert/--key, --pkcs12, or "
- "--auth-user-pass");
+ "--cert/--key, --pkcs12, "
+ "--auth-user-pass, or --external-auth");
 }
 }
 else if (sum != 2)
@@ -7917,6 +7918,11 @@ add_option(struct options *options,
 options->auth_user_pass_file = "stdin";
 }
 }
+ else if (streq(p[0], "external-auth") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->external_auth = true;
+ }
 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
 {
 VERIFY_PERMISSION(OPT_P_GENERAL);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 2b37d1fc4494..515462aafb6b 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -542,6 +542,7 @@ struct options
 const char *auth_user_pass_file;
 bool auth_user_pass_file_inline;
 struct options_pre_connect *pre_connect;
+ bool external_auth;
 int scheduled_exit_interval;
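Review bot: The new usage line `"--external-auth : If set, client-side credentials may be provided optionally.\n"` does not say which check it relaxes, and "provided optionally" reads awkwardly; the only effect visible in this patch is that startup no longer fails when none of --cert/--key, --pkcs12 or --auth-user-pass is configured. Suggest stating that directly, e.g. `"--external-auth : Allow starting without --cert/--key, --pkcs12 or\n"` followed by `"                  --auth-user-pass (see the man page for the risks).\n"`, so the help output matches the new error text in options_postprocess_verify_ce. The usage_message array starts and ends outside the hunk.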
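Review bot: The relaxed condition on the `if (!options->auth_user_pass_file && !options->external_auth)` line makes the absence of every client-side credential a silently accepted state once --external-auth is set; nothing in this hunk logs that the startup check was skipped, so an operator cannot distinguish a deliberately credential-less client from a misconfigured one. Suggest an explicit branch after the usage error, `else if (!options->auth_user_pass_file) { msg(M_WARN, "WARNING: --external-auth set, no client-side authentication method configured"); }`, so the bypass is visible in the startup log. Whether this code path is reached only for client configurations is not visible in the hunk; if it can also run for a server, the flag would suppress the check there too, which the man-page text added by this same patch itself warns about, so that is worth confirming before merge. options_postprocess_verify_ce starts and ends outside the hunk.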